New security vulnerabilities affecting a well-known webmail platform have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. The agency added two critical vulnerabilities in Roundcube Webmail on February 20, 2026, based on convincing evidence that threat actors are actively exploiting them in the wild. The update draws attention to the persistent risk posed by web-based communication tools and cautions organizations to secure their email infrastructure immediately.
The two newly added Roundcube entries represent significant security flaws that give attackers access to systems running vulnerable software versions. The first is a deserialization of untrusted data vulnerability.
This kind of vulnerability arises when an application handles user-supplied data incorrectly, giving an attacker the ability to change the logic of the application or run arbitrary code on the server.

| CVE ID | Product | Vulnerability Type | Affected Component | Impact | Severity (CVSS)* |
|---|---|---|---|---|---|
| CVE-2025-49113 | Roundcube Webmail | Deserialization of untrusted data | PHP backend processing | Through carefully constructed serialized input, remote attackers can alter application logic or run arbitrary code. | Critical |
| CVE-2025-68461 | Roundcube Webmail | Cross-site scripting (XSS) | Input handling and web interface | Attackers can inject malicious scripts, which could result in data theft or session hijacking. | High |

The second problem is a Cross-Site Scripting (XSS) vulnerability. XSS vulnerabilities typically allow attackers to insert malicious scripts into web pages viewed by other users, which frequently results in session hijacking or the theft of private information.
Because webmail interfaces are so often exposed to the public internet, these vulnerabilities are regarded as common attack vectors for malicious cyber actors. By exploiting these flaws, attackers can obtain unauthorized access to email accounts, intercept private communications, or gain a foothold within a larger network.
According to CISA, these particular vulnerabilities represent a serious risk to the federal enterprise and require security teams to take urgent action.

Federal Directives and Remediation

Binding Operational Directive (BOD) 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities," governs the inclusion of these vulnerabilities in the catalog. That directive established the KEV catalog as a living list of CVEs that pose a serious risk to the federal government.
To safeguard federal networks from ongoing threats, the mandate requires Federal Civilian Executive Branch (FCEB) agencies to address listed vulnerabilities by set deadlines. The goal of the directive is to prioritize vulnerabilities that attackers are actually using rather than attempting to manage every vulnerability equally. Although the BOD 22-01 requirements are legally binding only for FCEB agencies, CISA strongly encourages all organizations to adopt a similar urgency.
As part of their regular vulnerability management procedures, private businesses, state governments, and critical infrastructure providers are encouraged to give prompt remediation of KEV Catalog vulnerabilities top priority. To lessen their vulnerability to these cyberattacks, organizations that use Roundcube Webmail should check for available security updates and apply patches right away.
CISA continues to update the catalog regularly as new exploitation evidence meets its criteria for inclusion.
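The KEV catalog is published as a JSON feed, and the prioritization the directive asks for is easy to script. The following is an added example, not code from the article or from CISA: it filters feed entries for one vendor or product and reports how many days remain before each entry's due date. The feed excerpt is constructed to match the feed's field names; the two CVE IDs and the 2026-02-20 addition date come from the article, while the due dates, action text and the third unrelated entry are invented.

```python
"""Filter a CISA KEV feed for one product and check entries against their due dates."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE IDs and the 2026-02-20 addition date are from the article; due dates,
# requiredAction text and the third placeholder entry are invented for this example.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-49113", "vendorProject": "Roundcube", "product": "Webmail",
     "vulnerabilityName": "Roundcube Webmail Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-13",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2025-68461", "vendorProject": "Roundcube", "product": "Webmail",
     "vulnerabilityName": "Roundcube Webmail Cross-Site Scripting Vulnerability",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-13",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "vulnerabilityName": "Placeholder entry (constructed)", "dateAdded": "2026-01-05",
     "dueDate": "2026-01-26", "requiredAction": "Apply updates per vendor instructions."},
]})


def kev_entries_for(feed_json: str, needle: str) -> list[dict]:
    """Return entries whose vendorProject or product contains `needle` (case-insensitive)."""
    needle = needle.lower()
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"]
            if needle in v["vendorProject"].lower() or needle in v["product"].lower()]


def remediation_status(entries: list[dict], today_iso: str) -> list[tuple[str, str, int]]:
    """Map each entry to (cveID, dueDate, days_remaining), most urgent first.

    A negative days_remaining means the BOD 22-01 due date has already passed."""
    today = date.fromisoformat(today_iso)
    rows = [(v["cveID"], v["dueDate"], (date.fromisoformat(v["dueDate"]) - today).days)
            for v in entries]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    roundcube = kev_entries_for(SAMPLE_FEED, "roundcube")
    for cve, due, left in remediation_status(roundcube, date.today().isoformat()):
        state = f"OVERDUE by {-left} days" if left < 0 else f"{left} days left"
        print(f"{cve}  due {due}  {state}")
```

To run it against the live catalog, replace SAMPLE_FEED with the downloaded body of the feed URL named in the comment; the field names used here are the ones the real feed carries.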